Android Stagefright Exploit Released To The Public

Zimperium, the security company that initially found the vulnerabilities in Android's Stagefright media library, promised on August 5 that it would release an open source exploit for testing purposes. The company has now released the exploit in the wild to get Android OEMs to hurry up and deliver the patches to their devices, but also to allow other security experts to test whether their devices are still vulnerable.

Exploit in the wild

The publicly released exploit is not a "generic exploit," the company said, because it has only tested it on an older Nexus running Android 4.0.4. The Stagefright vulnerability used for the exploit has been neutered by Android 5.0's use of the GCC 5.0 compiler, which comes with integer overflow mitigation.

Zimperium's release of the exploit doesn't necessarily make it that much easier for attackers to exploit Stagefright, as other exploits have already been created that can even bypass Android's address space layout randomization (ASLR) protection, and there are likely to be more out there that we don't know about.

Upgrades still in poor shape

So far only Google (Nexus devices), Samsung, and LG have promised monthly security updates after the Stagefright vulnerabilities were first made public. However, a few other companies such as Motorola, HTC, Sony and others also started sending Stagefright patches for some of their devices.

The main problem here is that none of these companies are going to patch most of the exploitable devices, which includes all Android 2.3 devices and beyond, covering over 900 million smartphones and tablets. At best, the majority of the OEMs will upgrade their most popular devices from the past two years, and that's about it.

Because Google is not responsible with the updates for the Android ecosystem, that pits Android OEMs in a price race to the bottom, where the costs of developing new updates for smartphones gets discounted as unimportant, compared to other priorities such as using a better camera, processor or screen, or simply having a lower price than the competition. This situation may never be fixed by itself until Google takes the whole responsibility upon itself (and the OEMs allow it to do that).

Initial quick-fixes not enough

The Stagefright vulnerabilities were indeed a wake-up call for Google as well as some manufacturers but were unlikely to be big enough to make them consider a significantly improved upgrade system. After all, only three companies promised monthly security updates, and even they didn't say for how long that will be in place for certain devices, or whether all devices will be under the new update program.

Some apps such as Hangouts and Messenger have also been updated by Google to resist Stagefright exploits, considering the easiest way to attack a user is through an MMS or other video file sent to SMS or other messaging apps that have auto-retrieval of video files enabled.

However, this isn't the only way users can be attacked. They can also receive video files through the browser when visiting a website. Typically, the user would have to accept such a file, though, so the risk there is minimized.

Checking for Stagefright vulnerabilities

To check whether you're still vulnerable, you can use Zimperium's Detector app. The app now also checks against the bugs in the Stagefright library, which were unveiled shortly after the first Stagefright announcement was made by Exodus Intelligence. Patches for these latest bugs haven't been distributed to many devices yet, though, as they are set to arrive in the next batch of official upgrades from Android OEMs (which could be a few weeks for Google, LG and Samsung, or a few months for others).

Zimperium has also collaborated with Google to include the Detector app's logic into the Android Compatibility Test Suite (CST) to ensure that all new smartphones will be protected against these vulnerabilities.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • pug_s
    That's the major problem with Google's android even with 3+ year old devices IOS. They just assume that you throw away your device and get a new one. That's why I am more inclined to buy that Windows OS devices (except phones) are more future proof as they are more diligent about patches and updates.
    Reply
  • targetdrone
    Say what you will about Microsoft and security, at least you don't need to buy new hardware each time Microsoft releases a security patch because OEMs don't want to write a new firmware for hardware older than 6 months.

    Google really needs to crack down on the Android ecosystem by bypassing OEMs for OS updates, else fragmentation is only going to get worse, security is going to suffer severely. If Google doesn't get its act together Android might join Wang, Tandy, and Blackberry.
    Reply
  • captaincharisma
    Say what you will about Microsoft and security, at least you don't need to buy new hardware each time Microsoft releases a security patch because OEMs don't want to write a new firmware for hardware older than 6 months.

    Google really needs to crack down on the Android ecosystem by bypassing OEMs for OS updates, else fragmentation is only going to get worse, security is going to suffer severely. If Google doesn't get its act together Android might join Wang, Tandy, and Blackberry.

    LOL tell that to all the former windows supporters that got burned when MS didn't upgrade their phones to windows 8.
    Reply
  • vulcangrey
    My HTC ONE M9 on Sprit received the stagefright patch on Tuesday morning this week... And immediately afterward my screen won't turn off when idle... ever! I have to use the power button.

    And also my phone won't connect to my car stereo correctly (touch screen on the Pioneer Appradio2 won't work in app mode)... Either Pioneer was exploiting the stagefright bug to make their touchscreen integration work over bluetooth... Or HTC messed up something else while they were fixing the stagefright bug!
    Reply
  • therealduckofdeath
    There's a lot of negative hyperbole in this article, but that's unfortunately the standard we still have from gadget bloggers these days. The other day I skimmed through a story at iEngadget and the writer happily admitted that he always has a bias in favor Apple products, even when it doesn't make sense.

    I agree that Google has to take full responsibility for Android. It's not working the way they're "selling" it today. I have a Note 4 and only received the 5.1.1 update yesterday because the network provider I have insists on keeping the right to alter Android, but they have no interest in maintaining the software after they've sold the phone, despite their customers betting on two year contracts with them.
    Even the smallest Linux distribution on PC has timely updates for EVERYBODY, and they're doing that without getting paid for it.
    Fix it Google! The time for bad excuses is over.
    Reply
  • therealduckofdeath
    *being
    Reply
  • jalek
    Does anyone with a prepaid or off-contract plan ever get updates?
    I don't think I've seen an OTA update since I dropped my old post-paid service and I've had three carriers since.
    Reply
  • kenjitamura
    I got an update with the fix for this last night on my Moto G 2nd gen.
    Reply